I've recently been hit pretty hard with a nasty DDoS attack on a site of
mine.
With http://wiki.nginx.org/HttpLimitReqModule and
http://wiki.nginx.org/HttpLimitZoneModule I was able to mitigate the
attack reasonably well, but neither of these modules does what I'd really
like to have done - temporarily serve only a plain 4xx or 5xx error
message to any IP that is exhibiting clearly abusive behavior, like
requesting the exact same page over and over again, or attempting to
make a large number of parallel connections (100+) at once. This should
be in effect for a configurable amount of time, but just 10 minutes or
so would have worked well against my recent attack, as each attacking
bot only tends to attack for a few minutes before it's replaced by
another bot.
So my suggestion is either adding functionality to the Limit modules, or
adding a new DDoS module which would use a set amount of memory to keep
tabs on all IPs that have requested anything in the past 10-15 seconds,
and can mitigate DDoS attacks by analyzing recent request and connect
patterns by IP.
Posted at Nginx Forum: http://forum.nginx.org/read.php?2,147105,147105#msg-147105
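To make the requested behaviour concrete, here is an added example of the detection logic the post describes, written as a small Python model. It is not nginx code and not the poster's code: it keeps a fixed-size table of recently seen IPs, slides a short window (15 s assumed) over each IP's requests, and temporarily bans an IP (10 minutes assumed) that either repeats one page more than a threshold within the window or holds more concurrent connections than a limit, answering with a bare 429 while the ban lasts. All thresholds, the class and function names, and the log lines fed to `replay` are assumptions constructed for illustration.

```python
"""Sliding-window abuse detector with temporary bans.

Added illustration, not nginx code: models the behaviour asked for in the
post (ban an IP for a while when it hammers one page or opens too many
parallel connections, and serve it only a plain error status meanwhile).
"""
from collections import OrderedDict, deque


class AbuseTracker:
    # All defaults are assumptions for illustration, not nginx settings.
    def __init__(self, window=15.0, same_page_limit=30, max_conns=100,
                 ban_seconds=600.0, max_tracked_ips=10000, ban_status=429):
        self.window = window                  # seconds of history kept per IP
        self.same_page_limit = same_page_limit  # repeats of one path allowed
        self.max_conns = max_conns            # concurrent connections per IP
        self.ban_seconds = ban_seconds        # how long a ban lasts
        self.max_tracked_ips = max_tracked_ips  # bounded memory for history
        self.ban_status = ban_status          # plain error sent while banned
        self.history = OrderedDict()          # ip -> deque of (ts, path)
        self.active = {}                      # ip -> open connection count
        self.banned_until = {}                # ip -> ban expiry timestamp

    def is_banned(self, ip, now):
        """True while a ban is in force; expired bans are dropped lazily."""
        until = self.banned_until.get(ip)
        if until is None:
            return False
        if now >= until:
            del self.banned_until[ip]
            return False
        return True

    def ban(self, ip, now):
        self.banned_until[ip] = now + self.ban_seconds
        self.history.pop(ip, None)            # no need to keep its history

    def _touch(self, ip):
        """Return the IP's history deque, keeping the table LRU-bounded."""
        q = self.history.get(ip)
        if q is None:
            q = self.history[ip] = deque()
        self.history.move_to_end(ip)
        while len(self.history) > self.max_tracked_ips:
            self.history.popitem(last=False)  # evict least recently seen IP
        return q

    def on_connect(self, ip, now):
        """Called per new connection; None = accept, else status to send."""
        if self.is_banned(ip, now):
            return self.ban_status
        n = self.active.get(ip, 0) + 1
        if n > self.max_conns:
            self.ban(ip, now)                 # refused connection not counted
            return self.ban_status
        self.active[ip] = n
        return None

    def on_disconnect(self, ip):
        n = self.active.get(ip, 0) - 1
        if n <= 0:
            self.active.pop(ip, None)
        else:
            self.active[ip] = n

    def on_request(self, ip, path, now):
        """Called per request; None = serve normally, else status to send."""
        if self.is_banned(ip, now):
            return self.ban_status
        q = self._touch(ip)
        while q and q[0][0] < now - self.window:
            q.popleft()                       # slide the window forward
        q.append((now, path))
        repeats = sum(1 for _, p in q if p == path)
        if repeats > self.same_page_limit:
            self.ban(ip, now)
            return self.ban_status
        return None


# Constructed sample traffic ("timestamp ip path"), not real log data:
# one bot repeating /index.html, one ordinary visitor browsing around.
SAMPLE_LOG = [
    "1000.0 198.51.100.4 /",
    "1000.5 203.0.113.7 /index.html",
    "1001.0 203.0.113.7 /index.html",
    "1001.5 203.0.113.7 /index.html",
    "1002.0 198.51.100.4 /about",
    "1002.0 203.0.113.7 /index.html",
    "1002.5 203.0.113.7 /index.html",
    "1003.0 203.0.113.7 /index.html",   # 6th repeat in window -> banned
    "1003.5 203.0.113.7 /index.html",   # still banned
    "1005.0 198.51.100.4 /contact",
    "1100.0 203.0.113.7 /about",        # different page, but ban persists
    "1700.0 203.0.113.7 /about",        # ban expired after 600 s
]


def replay(lines, tracker=None):
    """Feed log lines through a tracker; return [(ip, status_or_None)]."""
    tracker = tracker or AbuseTracker(same_page_limit=5, ban_seconds=600.0)
    out = []
    for line in lines:
        ts, ip, path = line.split()[:3]
        out.append((ip, tracker.on_request(ip, path, float(ts))))
    return out


if __name__ == "__main__":
    for ip, status in replay(SAMPLE_LOG):
        print(ip, "served" if status is None else f"refused with {status}")
```

The ban table is checked before anything else, so a banned client costs one dictionary lookup per request and no further history is kept for it, which is the cheap path you want under load; the LRU eviction in `_touch` is what keeps the "set amount of memory" promise when many distinct source addresses appear.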